Wrapping it together
Now that we have a verification and data insertion function, we need to actually wrap the two together. A simple set of lines like this would suffice.
    if (verify() && $_POST['receiver_id'] == "BLANKED OUT") {
        if ($_POST['mc_currency'] == "USD") {
            insert_data();
        } else {
            // log for manual investigation
        }
    } else {
        // Either email yourself, or log the incident for manual
        // investigation
    }
The "BLANKED OUT" portion is your secure merchant ID, which can be seen on the profile page of your PayPal account, such as in this example:
Checking against your merchant ID is more secure because the number is not stored in your Buy Now form, nor is it made known to the buyer. It also prevents a potential buyer from paying themselves and pointing the payment at your notification URL in order to fake a "valid" transaction that never reached your own account. If someone pays themselves on PayPal, that is a perfectly valid transaction as far as PayPal's IPN is concerned, so unless you check the receiver email or secure merchant ID your script would accept it.
It is also usually a good idea to notify yourself of any irregularities or unexpected settings in the transaction, such as receiving funds in a currency you are not familiar with. If you wish, you can also check the buyer's verified status by looking at $_POST['payer_status'], which will be either verified or unverified.
A successful transaction will have $_POST['payment_status'] set to "Completed".
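The checks discussed above (receiver_id against the secure merchant ID, currency, payment_status, and the optional payer_status) pulled together into one function that separates rejections from things worth a manual look. This is an added example, not the article's code; verify() and insert_data() are assumed to be the functions from the earlier sections, and the merchant ID value is a placeholder.

```php
<?php
// Added example: applies the post-verification checks described in the
// article and reports what went wrong, so the caller can log or email.
// Requires PHP 7+ for the ?? operator and hash_equals().

function check_ipn(array $post, string $merchant_id): array {
    $reject = [];   // any of these means: do not insert the payment
    $warn   = [];   // unusual but not necessarily fraudulent

    // Compare against the secure merchant ID (not the buyer-visible email),
    // in constant time so the comparison itself leaks nothing.
    $receiver = (string) ($post['receiver_id'] ?? '');
    if (!hash_equals($merchant_id, $receiver)) {
        $reject[] = "receiver_id '$receiver' is not our merchant ID";
    }

    // Only a Completed payment is money actually in the account.
    $status = $post['payment_status'] ?? '(missing)';
    if ($status !== 'Completed') {
        $reject[] = "payment_status is $status";
    }

    // Currency we do not handle: hold it for manual investigation.
    $currency = $post['mc_currency'] ?? '(missing)';
    if ($currency !== 'USD') {
        $reject[] = "unexpected currency $currency";
    }

    // Optional check from the article: unverified buyers are recorded, not rejected.
    if (($post['payer_status'] ?? '') !== 'verified') {
        $warn[] = 'payer_status is ' . ($post['payer_status'] ?? '(missing)');
    }

    return ['reject' => $reject, 'warn' => $warn];
}

function log_irregularity(array $post, array $notes): void {
    // Keep the raw fields next to the findings so the incident can be reviewed later.
    error_log('IPN irregularity: ' . implode('; ', $notes) . ' | ' . http_build_query($post));
}

$merchant_id = 'YOUR_SECURE_MERCHANT_ID'; // placeholder: the value from your profile page

if (!verify()) {
    log_irregularity($_POST, ['verify() returned false']);
} else {
    $result = check_ipn($_POST, $merchant_id);
    if ($result['warn'])   { log_irregularity($_POST, $result['warn']); }
    if ($result['reject']) { log_irregularity($_POST, $result['reject']); }
    else                   { insert_data(); }
}
```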
For a list of more IPN variables such as transaction type, have a look at this page: IPN and PDT Variables.